feat: use random nonces for AddPieces (#317)

Allows for non-sequential piece additions. PDPVerifier allocates its own
pieceIds according to order added, we receive that as firstAdded and use
it to refer to the same pieceIds as PDPVerifier. Now, instead of using
firstAdded as a nonce, we allow for random nonces that the user now
supplies separately in extraData.

* Adds a new "nonce" into extraData
* Repurposes clientDataSetIds as clientNonces
* Moves signature to the end of extraData to be consistent with
CreateDataSet

Closes: #305

Author: rvagg

service_contracts/abi/FilecoinWarmStorageServiceStateLibrary.abi.json

@@ -20,7 +20,7 @@
   },
   {
     "type": "function",
-    "name": "clientDataSetIds",
+    "name": "clientDataSets",
     "inputs": [
       {
         "name": "service",
@@ -31,25 +31,20 @@
         "name": "payer",
         "type": "address",
         "internalType": "address"
-      },
-      {
-        "name": "clientDataSetId",
-        "type": "uint256",
-        "internalType": "uint256"
       }
     ],
     "outputs": [
       {
-        "name": "",
-        "type": "uint256",
-        "internalType": "uint256"
+        "name": "dataSetIds",
+        "type": "uint256[]",
+        "internalType": "uint256[]"
       }
     ],
     "stateMutability": "view"
   },
   {
     "type": "function",
-    "name": "clientDataSets",
+    "name": "clientNonces",
     "inputs": [
       {
         "name": "service",
@@ -60,13 +55,18 @@
         "name": "payer",
         "type": "address",
         "internalType": "address"
+      },
+      {
+        "name": "nonce",
+        "type": "uint256",
+        "internalType": "uint256"
       }
     ],
     "outputs": [
       {
-        "name": "dataSetIds",
-        "type": "uint256[]",
-        "internalType": "uint256[]"
+        "name": "",
+        "type": "uint256",
+        "internalType": "uint256"
       }
     ],
     "stateMutability": "view"

service_contracts/abi/FilecoinWarmStorageServiceStateView.abi.json

@@ -25,43 +25,43 @@
   },
   {
     "type": "function",
-    "name": "clientDataSetIds",
+    "name": "clientDataSets",
     "inputs": [
       {
         "name": "payer",
         "type": "address",
         "internalType": "address"
-      },
-      {
-        "name": "clientDataSetId",
-        "type": "uint256",
-        "internalType": "uint256"
       }
     ],
     "outputs": [
       {
-        "name": "",
-        "type": "uint256",
-        "internalType": "uint256"
+        "name": "dataSetIds",
+        "type": "uint256[]",
+        "internalType": "uint256[]"
       }
     ],
     "stateMutability": "view"
   },
   {
     "type": "function",
-    "name": "clientDataSets",
+    "name": "clientNonces",
     "inputs": [
       {
         "name": "payer",
         "type": "address",
         "internalType": "address"
+      },
+      {
+        "name": "nonce",
+        "type": "uint256",
+        "internalType": "uint256"
       }
     ],
     "outputs": [
       {
-        "name": "dataSetIds",
-        "type": "uint256[]",
-        "internalType": "uint256[]"
+        "name": "",
+        "type": "uint256",
+        "internalType": "uint256"
       }
     ],
     "stateMutability": "view"

service_contracts/src/FilecoinWarmStorageService.sol

@@ -236,7 +236,13 @@ contract FilecoinWarmStorageService is
     mapping(uint256 dataSetId => bool) private provenThisPeriod;
 
     mapping(uint256 dataSetId => DataSetInfo) private dataSetInfo;
-    mapping(address payer => mapping(uint256 clientDataSetId => uint256)) private clientDataSetIds;
+
+    // Replay protection: tracks used nonces for both CreateDataSet and AddPieces operations.
+    // Stores packed data: upper 128 bits = cumulative piece count after AddPieces or 0 for CreateDataSet,
+    // lower 128 bits = dataSetId. For AddPieces, stores (firstAdded + pieceData.length) which is the
+    // next piece ID that would be assigned, providing historical data about dataset state after the operation.
+    mapping(address payer => mapping(uint256 nonce => uint256)) private clientNonces;
+
     mapping(address payer => uint256[]) private clientDataSets;
     mapping(uint256 pdpRailId => uint256) private railToDataSet;
 
@@ -524,10 +530,10 @@ contract FilecoinWarmStorageService is
         address payee = serviceProviderRegistry.getProviderPayee(providerId);
 
         require(
-            clientDataSetIds[createData.payer][createData.clientDataSetId] == 0,
+            clientNonces[createData.payer][createData.clientDataSetId] == 0,
             Errors.ClientDataSetAlreadyRegistered(createData.clientDataSetId)
         );
-        clientDataSetIds[createData.payer][createData.clientDataSetId] = dataSetId;
+        clientNonces[createData.payer][createData.clientDataSetId] = dataSetId;
         clientDataSets[createData.payer].push(dataSetId);
 
         // Verify the client's signature
@@ -668,7 +674,7 @@ contract FilecoinWarmStorageService is
             Errors.PaymentRailsNotFinalized(dataSetId, info.pdpEndEpoch)
         );
 
-        // NOTE keep clientDataSetIds[payer][clientDataSetId] to prevent replay
+        // NOTE keep clientNonces[payer][clientDataSetId] to prevent replay
 
         // Remove from client's dataset list
         uint256[] storage clientDataSetList = clientDataSets[payer];
@@ -704,11 +710,11 @@ contract FilecoinWarmStorageService is
 
     /**
      * @notice Handles pieces being added to a data set and stores associated metadata
-     * @dev Called by the PDPVerifier contract when pieces are added to a data set
+     * @dev Called by the PDPVerifier contract when pieces are added to a data set.
      * @param dataSetId The ID of the data set
-     * @param firstAdded The ID of the first piece added
+     * @param firstAdded The ID of the first piece added (from PDPVerifier, used for piece ID assignment)
      * @param pieceData Array of piece data objects
-     * @param extraData Encoded metadata, and signature
+     * @param extraData Encoded (nonce, metadata keys, metadata values, signature)
      */
     function piecesAdded(uint256 dataSetId, uint256 firstAdded, Cids.Cid[] memory pieceData, bytes calldata extraData)
         external
@@ -723,8 +729,13 @@ contract FilecoinWarmStorageService is
         address payer = info.payer;
         require(extraData.length > 0, Errors.ExtraDataRequired());
         // Decode the extra data
-        (bytes memory signature, string[][] memory metadataKeys, string[][] memory metadataValues) =
-            abi.decode(extraData, (bytes, string[][], string[][]));
+        (uint256 nonce, string[][] memory metadataKeys, string[][] memory metadataValues, bytes memory signature) =
+            abi.decode(extraData, (uint256, string[][], string[][], bytes));
+
+        // Validate nonce hasn't been used (replay protection)
+        require(clientNonces[payer][nonce] == 0, Errors.ClientDataSetAlreadyRegistered(nonce));
+        // Mark nonce as used, storing cumulative piece count (next piece ID) in upper bits
+        clientNonces[payer][nonce] = ((firstAdded + pieceData.length) << 128) | dataSetId;
 
         // Check that we have metadata arrays for each piece
         require(
@@ -737,9 +748,7 @@ contract FilecoinWarmStorageService is
         );
 
         // Verify the signature
-        verifyAddPiecesSignature(
-            payer, info.clientDataSetId, pieceData, firstAdded, metadataKeys, metadataValues, signature
-        );
+        verifyAddPiecesSignature(payer, info.clientDataSetId, pieceData, nonce, metadataKeys, metadataValues, signature);
 
         // Store metadata for each new piece
         for (uint256 i = 0; i < pieceData.length; i++) {
@@ -1354,7 +1363,7 @@ contract FilecoinWarmStorageService is
      * @param payer The address of the payer who should have signed the message
      * @param clientDataSetId The ID of the data set
      * @param pieceDataArray Array of piece CID structures
-     * @param firstAdded The first piece ID being added
+     * @param nonce Client-chosen nonce for replay protection
      * @param allKeys 2D array where allKeys[i] contains metadata keys for piece i
      * @param allValues 2D array where allValues[i] contains metadata values for piece i
      * @param signature The signature bytes (v, r, s)
@@ -1363,16 +1372,14 @@ contract FilecoinWarmStorageService is
         address payer,
         uint256 clientDataSetId,
         Cids.Cid[] memory pieceDataArray,
-        uint256 firstAdded,
+        uint256 nonce,
         string[][] memory allKeys,
         string[][] memory allValues,
         bytes memory signature
     ) internal view {
         // Compute the EIP-712 digest
         bytes32 digest = _hashTypedDataV4(
-            SignatureVerificationLib.addPiecesStructHash(
-                clientDataSetId, firstAdded, pieceDataArray, allKeys, allValues
-            )
+            SignatureVerificationLib.addPiecesStructHash(clientDataSetId, nonce, pieceDataArray, allKeys, allValues)
         );
 
         // Delegate to library for verification

service_contracts/src/FilecoinWarmStorageServiceStateView.sol

@@ -22,14 +22,14 @@ contract FilecoinWarmStorageServiceStateView is IPDPProvingSchedule {
         return service.challengeWindow();
     }
 
-    function clientDataSetIds(address payer, uint256 clientDataSetId) external view returns (uint256) {
-        return service.clientDataSetIds(payer, clientDataSetId);
-    }
-
     function clientDataSets(address payer) external view returns (uint256[] memory dataSetIds) {
         return service.clientDataSets(payer);
     }
 
+    function clientNonces(address payer, uint256 nonce) external view returns (uint256) {
+        return service.clientNonces(payer, nonce);
+    }
+
     function filBeamControllerAddress() external view returns (address) {
         return service.filBeamControllerAddress();
     }

service_contracts/src/lib/FilecoinWarmStorageServiceLayout.sol

@@ -13,7 +13,7 @@ bytes32 constant PROVING_ACTIVATION_EPOCH_SLOT = bytes32(uint256(4));
 bytes32 constant PROVING_DEADLINES_SLOT = bytes32(uint256(5));
 bytes32 constant PROVEN_THIS_PERIOD_SLOT = bytes32(uint256(6));
 bytes32 constant DATA_SET_INFO_SLOT = bytes32(uint256(7));
-bytes32 constant CLIENT_DATA_SET_IDS_SLOT = bytes32(uint256(8));
+bytes32 constant CLIENT_NONCES_SLOT = bytes32(uint256(8));
 bytes32 constant CLIENT_DATA_SETS_SLOT = bytes32(uint256(9));
 bytes32 constant RAIL_TO_DATA_SET_SLOT = bytes32(uint256(10));
 bytes32 constant DATA_SET_METADATA_SLOT = bytes32(uint256(11));

service_contracts/src/lib/FilecoinWarmStorageServiceStateInternalLibrary.sol

@@ -78,16 +78,14 @@ library FilecoinWarmStorageServiceStateInternalLibrary {
         return CHALLENGES_PER_PROOF;
     }
 
-    function clientDataSetIds(FilecoinWarmStorageService service, address payer, uint256 clientDataSetId)
+    function clientNonces(FilecoinWarmStorageService service, address payer, uint256 nonce)
         internal
         view
         returns (uint256)
     {
         return uint256(
             service.extsload(
-                keccak256(
-                    abi.encode(clientDataSetId, keccak256(abi.encode(payer, StorageLayout.CLIENT_DATA_SET_IDS_SLOT)))
-                )
+                keccak256(abi.encode(nonce, keccak256(abi.encode(payer, StorageLayout.CLIENT_NONCES_SLOT))))
             )
         );
     }

service_contracts/src/lib/FilecoinWarmStorageServiceStateLibrary.sol

@@ -74,16 +74,14 @@ library FilecoinWarmStorageServiceStateLibrary {
         return CHALLENGES_PER_PROOF;
     }
 
-    function clientDataSetIds(FilecoinWarmStorageService service, address payer, uint256 clientDataSetId)
+    function clientNonces(FilecoinWarmStorageService service, address payer, uint256 nonce)
         public
         view
         returns (uint256)
     {
         return uint256(
             service.extsload(
-                keccak256(
-                    abi.encode(clientDataSetId, keccak256(abi.encode(payer, StorageLayout.CLIENT_DATA_SET_IDS_SLOT)))
-                )
+                keccak256(abi.encode(nonce, keccak256(abi.encode(payer, StorageLayout.CLIENT_NONCES_SLOT))))
             )
         );
     }

service_contracts/src/lib/SignatureVerificationLib.sol

@@ -26,7 +26,7 @@ library SignatureVerificationLib {
         keccak256("PieceMetadata(uint256 pieceIndex,MetadataEntry[] metadata)MetadataEntry(string key,string value)");
 
     bytes32 private constant ADD_PIECES_TYPEHASH = keccak256(
-        "AddPieces(uint256 clientDataSetId,uint256 firstAdded,Cid[] pieceData,PieceMetadata[] pieceMetadata)"
+        "AddPieces(uint256 clientDataSetId,uint256 nonce,Cid[] pieceData,PieceMetadata[] pieceMetadata)"
         "Cid(bytes data)" "MetadataEntry(string key,string value)"
         "PieceMetadata(uint256 pieceIndex,MetadataEntry[] metadata)"
     );
@@ -84,7 +84,7 @@ library SignatureVerificationLib {
 
     function addPiecesStructHash(
         uint256 clientDataSetId,
-        uint256 firstAdded,
+        uint256 nonce,
         Cids.Cid[] calldata pieceDataArray,
         string[][] calldata allKeys,
         string[][] calldata allValues
@@ -93,7 +93,7 @@ library SignatureVerificationLib {
             abi.encode(
                 ADD_PIECES_TYPEHASH,
                 clientDataSetId,
-                firstAdded,
+                nonce,
                 hashAllCids(pieceDataArray),
                 hashAllPieceMetadata(allKeys, allValues)
             )